Press Releases

11 April 2011

Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Epsilon and its parent company, Alliance Data, have posted two press releases about the breach.

Epsilon has stated that the names and email addresses of their clients' customers were taken. Presumably the attackers were also able to access the names of each client.

What does this mean for consumers?

If you received a notification from one of Epsilon's clients, the thieves know your name and email address. Depending on which company had your information, the thieves may also know which hotels you stay at, which credit cards you use, or where you shop online. If your email address shows up on several of these lists, the criminals can draw together a fairly accurate profile of who you are and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.

Do the criminals have any more information about me?

While it's common for the contents of an email message to include more personal information than your name and email address, as far as we know, this information was not stolen. Oftentimes, different data is stored in different places, and the thieves may not have been able to access the contents of previously sent messages. There is a pretty good explanation of the way these marketing databases generally work here.

My address was lost in the Epsilon breach; CAUCE says the only way to protect myself against phishing is to change my address. Isn't that a rather extreme approach?

Anti-virus software catches new malware about 20% of the time, leaving computer end-users exposed to a tremendous number of viruses, keyloggers, spyware, and other bad things. Anti-spam software does a pretty good job, catching well upwards of 90% of all spam, but some trickles through. We know that phishing attempts were successful at ESPs that were on high alert for such attempts.

While some phishing attempts are obvious, almost silly, others can be extremely difficult for end-users to recognize. Our friends at Word to the Wise took apart a legitimate email from an Epsilon client-company, and even email experts had a hard time determining if the email was real. See their article ‘Real. Or. Phish?’.

If your email was lost by a client company of Epsilon, we stand by our suggestion that changing your address is the best way to avoid receiving and having to deal with the phishing emails and other spam that will inevitably come from this data theft. Even if you don't want to abandon your current address entirely, this would be a good time to set up a new address and move your important communications there.

I unsubscribed from a customer list at Epsilon, and still received a notification from them. Isn’t this illegal?

It is arguably illegal under some laws, but it makes good sense that they did mail you. It doesn’t mean you weren’t unsubscribed. Here’s how it works: When you unsubscribe from an emailer’s list, they put your address into what they call a ‘suppression list’. The criminals presumably stole these too. The companies did the right thing by alerting you to the fact that your address was stolen.

How can I unsubscribe from everything at Epsilon?

Epsilon maintains a list of places where you can unsubscribe from a variety of their clients' newsletters.

We do not know if this will ensure that another of their clients will not upload your address to Epsilon in the future, and of course there are many other ESPs out there.

Are the authorities involved? Can I sue someone?

Epsilon is reportedly working with the Secret Service, presumably because information related to bank and credit card clients was lost. Some of the companies that were targets or victims of the earlier series of breaches (which, again, may not be connected to the Epsilon incident) have been working with law enforcement.

The Australian Communications and Media Authority and the Australian Privacy Commissioner are aware of the attack, having been alerted to it by Dell Australia, whose data was stolen. The breach may prompt an investigation by the UK Information Commissioner's Office. Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein are investigating, and have written a letter to the Attorney General of the United States asking him to investigate. Leaders of the House Energy and Commerce panel in the United States have written to the CEO of Alliance Data, Epsilon's parent company, asking for more details on how many customers were affected and how the breach occurred.

You could try to sue someone: the company holding your data, or Epsilon, or both. There may be class action lawsuits coming out of this, as well as lawsuits by Epsilon's client companies. If you do join a class action, you should not expect a large financial settlement, as these are generally quite small.

CAUCE suggests that if you live in a relevant jurisdiction, you can file a complaint with the local authorities about the breach:

If you have incurred a financial loss as a result of any phishing attack, or see suspicious activity on your bank account, contact your financial institution to alert them and report your credit card stolen immediately. Then, call your local and federal police forces to file a complaint (the bank will not do this for you).

BACKGROUNDER

How was the hack accomplished?

Epsilon has not released details about the mechanics of the breach. If it is similar to the hacking attempts targeted at ESPs last year, the hackers may have used social engineering and spear-phishing techniques, leading to an employee mistakenly typing their username and password into a web page controlled by the hacker. However, at this time, we do not know what happened or whether there's any connection to the previous attacks.

Has Epsilon been hacked before?

Maybe. Epsilon has not publicly admitted to any previous attack, but their customer Walgreens has indicated that this is the second time they have lost data by way of Epsilon.

“After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.” – Walgreens spokesperson, via databreaches.net

Is the Epsilon breach part of the previous series of attacks on the ESP industry?

These attacks appear to have begun as early as November 2009, the first victim being a company called aWeber.

Typically, the criminals would hack into an ESP by sending an employee an email that infected them with keylogger spyware, take over one of their client accounts, and send spam for fake Adobe or Skype software. More than a dozen different ESPs, including Epsilon, were targets or victims of these attacks in 2010.

It is impossible to say if this is the same as what happened to Epsilon more recently. Adobe or Skype spam was seen during the previous breaches. This has not happened in the current breach to Walgreens or any other Epsilon customer.

This could have been the same group, using the same point of attack. It could have been a copycat using the same tactics, or an entirely different approach. We do not know, and there are too many variables for anyone to say they know definitively — though if Epsilon were to share what they know with the security community, it's likely that we could understand quite a bit more.

Did Epsilon have lax security?

We do not know what changes they made after their first breach, so it is impossible to say.

Were there things they could have done to improve security?

Obviously — they were hacked, after all. Epsilon will presumably address whatever let the hackers get into their systems this time, but any security professional will tell you that security is never perfect. What appears secure today may be exploited tomorrow.

There are many steps ESPs can take to greatly improve their security related to client lists and outbound email; we have listed them here.

I heard that someone warned ESPs about breaches in November.

They did. Return Path, which provides services to ESPs, blogged about their own breach and those at other ESPs in November 2010. In fact, the ESP industry was becoming aware of this series of breaches all the way through 2010, as they were happening.

Security isn’t 100%? Why?

Software, and the way it interacts with various web applications, is very complicated. Many sites do not, or cannot, update all of the components that go into a web application, either because doing so may break functionality on the site or because they are negligent. Home computers are pretty much the same. Microsoft, for example, issued 67 updates this past ‘Patch Tuesday’. Have you updated your computer?

Who is the real victim here?

You are. Epsilon suffered the initial attack. Their clients suffer as well, losing consumer trust. There may also be marketing or advertising agencies involved. But as far as CAUCE is concerned, the people who stand to suffer the most are the regular Internet users who trusted that the major brands whose products they enjoy would keep their email addresses and other personal information safe and secure. If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business.

These past few weeks have seen a tremendous amount of press coverage with regard to Bill C-27, currently in front of the Standing Committee on Industry, Science & Technology.

We have seen parties that previously supported an opt-in regime in Canada, and publicly supported the bill in the press and before the committee, change their stance.

The Coalition Against Unsolicited Commercial Email, with 50,000 members, has not. We encourage you and the committee to stand fast in this regard. An opt-out regime is what was made legal in America by way of the CAN-SPAM Act, and the United States is by far the main source of spam on the Internet today.

08 June 2009

CAUCE North America Inc., the Coalition Against Unsolicited Commercial Email (http://CAUCE.org), today announced at the Messaging Anti-Abuse Working Group (MAAWG) meeting that it has received additional financial support from Return Path Inc.

06 June 2007

CAUCE North America Debuts - New anti-spam advocacy group combines CAUCE Canada and CAUCE US

Montreal and Los Angeles, June 06, 2007 -- Neil Schwartzman, chair of CAUCE Canada, and Scott Hazen Mueller, chair of CAUCE U.S., today announced the formation and launch of CAUCE North America to build upon the work of their previously separate organizations.

CAUCE North America is now the premier anti-spam advocacy group, representing the interests of the millions of Internet users in North America. The combined group will work towards equitable solutions for the original threat posed by spam since the 20th century, and for Spam 2.0, the 21st-century blended threat posed by the merging of spam, viruses, phishing and malware.

"When we launched the original CAUCE, back in 1997," said Scott Hazen Mueller, founder of CAUCE U.S. and now President of CAUCE North America, "spam was an isolated problem and it was seen by many as unimportant. Now, spam is part of a multi-pronged assault by various criminal organizations attacking the very basis of trust on the Internet. If this threat is not met soon, users will continue to migrate away from the Internet for their commercial needs."

16 December 2004

The Coalition Against Unsolicited Commercial E-Mail (CAUCE) is disappointed by the enactment of a weak anti-spam law.

This legislation fails the most fundamental test of any anti-spam law, in that it neglects to actually tell any marketers not to spam. Instead, it gives each marketer in the United States one free shot at each consumer's e-mail inbox, and will force companies to continue to deploy costly and disruptive anti-spam technologies to block advertising messages from reaching their employees on company time and using company resources.

It also fails to learn from the experiences of the states and other countries that have tried "opt-out" legal frameworks, where marketers must be asked to stop, to no avail. In fact, the law will preempt an opt-in law set to go into effect in California on January 1, 2004, which was passed after a state opt-out law similar to the new federal law was found to be a failure.

In addition, the law's weak provisions are further crippled by limiting enforcement to overworked regulatory and law enforcement agencies, rather than giving consumers legal tools with which to protect their own inboxes.

CAUCE is also disappointed that both the House and Senate versions of this law were passed without any public hearings, instead being written and passed solely through back-room compromises and with the input of the marketing industry and Internet Service Provider lobbies, but with scant regard for the interests of America's consumers and business Internet users.

"This law does not stop a single spam from being sent. It only makes that spam slightly more truthful. It also gives a federal stamp of approval for every legitimate marketer in the U.S. to start using unsolicited e-mail as a marketing tool. Congress has listened to the marketers and not to consumers, and we have no faith that this law will significantly reduce the amount of spam that American Internet users receive." — Scott Hazen Mueller, CAUCE Chairman

We are writing to you to express our concerns regarding several pieces of anti-spam legislation that have been introduced or are currently being prepared for introduction. As anti-spam and consumer advocacy organizations that have worked on the spam problem for several years, we have closely analyzed many of today's anti-spam laws, in the United States and abroad, and we would like to offer our opinion on what we have become convinced are the only legislative measures that will make any meaningful difference in the lives of consumers. At present, none of the legislative proposals currently being considered in Congress contain the measures we recommend; rather, they repeat many of the legislative mistakes that have exacerbated the unsolicited commercial email problem, permitting it to grow to the epidemic proportions it has reached today.

First and most importantly, to have any meaningful effect on the growing volume of unsolicited email, any law should prohibit the sending of unsolicited bulk commercial email. Any law that defines acceptable criteria for sending unsolicited bulk commercial email will amount to little more than establishing the conditions for a federal license to spam. The vast majority of online marketing organizations have active and robust permission-based marketing programs that generate significant profits using "opt-in" business models. By establishing an "opt-out" legal regime, Congress would undercut those businesses who respect consumer preferences and give legal protection to those who do not.

An opt-in criterion, requiring the affirmative prior consent of the addressee, is essential to reduce the rising tide of spam, while an opt-out law gives safe harbor to ever-growing floods of unsolicited bulk commercial email. Opt-out places the burden on consumers to remove themselves from potentially tens of thousands of mailing lists that they never wanted to be on in the first place. Because most consumers do not wish to interact with the senders of unsolicited bulk commercial email, few consumers will have the time or inclination to comply with hundreds or thousands of different variations of opt-out procedures.

We also note that opt-out has proven disastrous in South Korea, where the legislature is now scrambling to enact opt-in legislation. Furthermore, opt-in is the law in the European Union and soon to be law in several other countries. Therefore any company operating on a global basis will not be placed under a unique or undue burden by treating American consumers in a consistent fashion. Ultimately, the opt-out approach supported by some direct marketers places their own business convenience over the best interests of American consumers. If Congress accepts their approach, it will condemn consumers to lives with more unsolicited email, not less.

Second, individuals who receive spam should have a private right of action allowing them to recover liquidated damages for violations of the law. It is important that federal agencies, state Attorneys General and ISPs also be able to sue spammers, but as Washington's Attorney General made clear at the Federal Trade Commission's Spam Forum (April 30 - May 2, 2003), the only way you will see meaningful enforcement of anti-spam laws is to give the individual victim the right to sue. Federal agencies and state Attorneys General have made it quite clear that they do not have the resources needed to enforce new anti-spam laws. If it is the intent of Congress that any anti-spam law actually be enforced, Congress has two choices: appropriate massive amounts of new funding to all of the responsible law enforcement agencies, or empower consumers to bring their own actions.

The individual private right of action created against junk faxers in the Telephone Consumer Protection Act of 1991 (TCPA) has worked well to keep junk faxes at a tolerable level without any added expense to law enforcement, and without creating the much-hyped "flood of unwarranted litigation" that critics erroneously cite. The TCPA does this by creating an action at the lowest court in a state, typically a small claims court. If floods of litigation are feared, there are ways to create a private right of action for individuals that sharply limit that potential. But a failure to create an individual private right of action will ensure extremely limited enforcement, much as we see today with existing state laws.

Third, a federal law should not preempt stronger state law, particularly if the federal law fails to meet the two criteria above. As with all consumer protection, federal law should set a floor, not a ceiling, and should give victims the ability to bring their actions in any court that provides a competent and convenient forum. By preempting state laws with an ineffective federal law, and by giving federal courts sole jurisdiction to hear cases, Congress would strip away what little protection consumers already have under the handful of strong state anti-spam laws.

All the proposed bills we have seen fail on these three fundamental counts. At the Federal Trade Commission Spam Forum, a substantial majority of the expert participants very clearly articulated that to be effective, spam legislation needed to be opt-in and contain a private right of action.[1] (The only dissenting opinions came from spammers and the Direct Marketing Association.) Recent proposals not only ignore this consensus and side with the spammers, they include exemptions that seem to have been designed to make life easier for spammers.

For example, the draft bill being circulated among committee staff at Energy and Commerce and the Judiciary Committee makes an opt-out choice effective for only three years and would permit a company to send unsolicited email for any product in its portfolio, while forcing consumers to opt out each time they receive an unwanted mailing. We ask you to envision how this process will play out in a real-world situation, wherein the estimated 23 million small businesses in America could send email to consumers, requiring an individual to opt out every three years. By creating such a potential, it is a gross misnomer to label a bill containing such provisions as "anti-spam" legislation; the burdens shifted onto consumers by such a bill are more properly described as "anti-consumer" or "pro-spam."

In the last several years, many of the ideas embodied in the current "anti-spam" legislative proposals have been demonstrated to be ineffective and in some cases likely to exacerbate the spam problem. We urge you to not simply reintroduce discredited approaches, but to move past them and look to solutions that have a real chance of making a difference. In the coming days, we will be contacting your staffs with recommendations for addressing the specific concerns we have with the current proposals, and will suggest ways of getting to a simple and fair bill that gives individual consumers, businesses both small and large, educational institutions, charitable organizations, and government itself, the means to defend themselves.

[1] There were many other lessons learned at the Federal Trade Commission Spam Forum that have not been reflected in any of the current proposals. For example, many participants provided evidence that opt-out "anti-spam" laws have resulted in greater and greater volumes of unsolicited email. Many panelists stated that even criminal penalties for certain deceptive spamming practices will not substantially reduce the volume of spam if unlimited quantities of non-deceptive spam are given safe harbor under law. Similarly, advances in spamming technology have made provisions against "harvesting" of email addresses irrelevant; many such email lists have already been compiled, and spammers are now moving on to "dictionary attacks", which dispense with lists altogether and simply use systematic guesswork.